Hot Buttons

To SaaS or Not to SaaS? Control and Cost Issues

Too often, all the costs and risks are not considered when analyzing software as a service offerings. Here’s advice on weighing the pros and cons.

When implementing technology solutions, there are invariably different kinds of costs involved. The price tag on the product or service is the easily visible part. The more important consideration is properly identifying the real costs of using the technology. SaaS is a case in point

There is currently a lot of hype about software as a service (SaaS) offerings. In the SaaS model, the software application is remotely hosted, or stored and maintained, by the service provider. You simply go to a site on the Internet where you are, by subscription or contract, allowed to use the program. The data that results is, like the software itself, held by the provider, not you.

Many are touting the benefits of SaaS, from the cost savings in hardware to the ability to remotely access the data from anywhere. And more SaaS offerings are being designed for the legal market, from time and billing and case management to electronic discovery tools. But here’s something to consider: Essentially, SaaS is a different way to spell “application service provider” (ASP).

The failure of the ASP model should still be fresh in many lawyers’ minds. Even as the stock market was all bullish for technology companies, ASPs were busy flaming out. Clever folks on Madison Avenue therefore renamed the offerings to get away from the stigma of the past and make another run at it.

So what are the concerns with the model, which, to be fair, also has its benefits? No matter what label you put on these products, the chief issue is that law firms need to be very protective of their data and that of their clients. Before you decide to move your sensitive data from the traditional inhouse client-server model over to the SaaS world, here are things you need to consider carefully.

Who’s in Charge Here?

The traditional client-server model puts total control in the law firm’s hands. The data is held internally, and access to it can be restricted to allow only internal network access or specific IP addresses. You can choose to encrypt the data locally (which we recommend) or leave it in plain text. Either way, it resides within the technology walls of the firm and the firm controls the access.

In contrast, the SaaS model by definition puts your data in the hands of a third party. This isn’t necessarily a bad thing, but do you really know if your sensitive information is safe? The provider’s security must be very strong to make sure that only authorized personnel can get to the firm’s confidential information. Your contract with the provider may—and should—specify that the data be stored in encrypted form. But what if a disgruntled employee has access to the tools that allow her to decrypt your client data and sell it to the other side in a major litigation? In addition, when you contract with a SaaS provider, you are required to accept the service as the provider delivers it to you. This means that any upgrades or bug fixes will be implemented by the provider. Sounds like a good thing? Maybe. But perhaps the upgrade requires paying additional fees or takes your old data through a conversion process that drops two very important field values, which have to be added back manually. The client-server model leaves the upgrade decision to you, which means that you may elect to keep your current version if the upgrade doesn’t offer any significant functionality. Forced updates are a constant irritant for law firms, as very few are crazy about having to make upgrades that don’t show bang for the buck or that require relearning some aspects of the software.

Another issue is that access is, by design, dependent on the speed and stability of your Internet connection. And Internet connections, as we’ve all miserably learned, do sometimes go down. Should yours, you will not have access to your data on the SaaS server. Alas, there aren’t many judges who are sympathetic to your problems if you miss a filing date because your Internet connection went down. Dual network connections to the Internet are the solution for smart firms, although this will mean an increase in cost over what is normally installed at the firm.

Besides the security and access concerns, the financial stability of the provider should be a major consideration, especially in these economic times. The last thing you need is to have the provider go out of business. But even if it stays on solid ground, you still want an exit strategy, since at some point you may want to move to another provider or bring the function back in house. In either event, the cost of migrating your data can be significant. Accordingly, you should make sure that the contract provides for specific costs and timetables to facilitate the move.

Where SaaS Scores Points

Now, in the interest of fairness, let’s look at the upsides of SaaS. Certainly, there can be some financial advantage to contracting service to a third-party provider. Because the actual processing occurs at the SaaS provider’s end, it minimizes your investment in hardware and software. The users in your firm are really only using keyboard and mouse and passing screen data over the communications link. All configuration and data hosting are external to your firm’s infrastructure.

Also, in the SaaS model costs can be further minimized based on the number of users or the amount of data storage volume. Either way, it’s fairly easy to identify the price tag and reliably budget for the service, which is a big selling point for a lot of firms. Note, however, that getting these “stable” price points may require contract terms of three to five years, which is a pretty long commitment for the firm.

Another advantage to SaaS is the rapid reaction time to changes. It is very fast to add new users or increase the amount of space for data storage. And, of course, many firms like the mobility aspect, since they can access SaaS applications from any machine with a Web browser. Typically there isn’t anything special that needs to be installed on the client computer. The user only needs a browser and perhaps a Java plug-in to access the application. This means that it’s easy to gain access to the data from the office, your home or an Internet café in the Bahamas.

But this easy access, returning to our earlier point, presents risks. Again, on a client-server network, access can be limited to allow only internal network access or specific IP addresses. This same restriction can be enforced by the SaaS provider—but you must depend on the vendor to ensure that access is properly restricted and that those restrictions are constantly enforced.

The Hybrid Solution

So where to go with these upsides and downsides? A good compromise to the typical SaaS model is a hybrid solution, in which the provider installs a rack unit on the firm’s premises that contains all the necessary hardware to provision a virtual environment. Just like a normal SaaS implementation, the client computers do not do any actual application processing. Effectively, they are just dumb terminals that transmit keyboard, mouse and screen data. In this way, the data is secured within the firm’s walls—but you’re not dependent on the stability or bandwidth of your Internet connection. Normal processing occurs locally on your firm’s LAN. It is inherently more secure because the information is not generally accessible from the outside world.

The nice part about a hybrid solution is that you get the stability of having your data stored locally and get lower costs because it is effectively a “drop in” solution. You can still remotely access the data while maintaining greater control over the access security.

Too often, all the costs and risks are not considered when analyzing a SaaS solution, with the ballyhoo tending to drown out reasonable objections. But this is the bottom line, from our perspective: Keep control of your own data. It will be cheaper and less risky in the long run, even if the SaaS provider doesn’t go out of business.

About the Editor

Sharon D. Nelsonand John W. Simekare President and Vice President, respectively, of Sensei Enterprises, Inc., a computer forensics and legal technology firm based in Fairfax, VA. They are coauthors of The 2009 Solo and Small Firm Legal Technology Guide (ABA, 2009).